UK Information Commissioner targets firm selling vetting data

The Information Commissioner's Office (ICO) has taken stringent enforcement action against a business that it believes has been selling data about construction industry workers to prospective employers.

The action against the Consulting Association is further evidence of the proactive enforcement activity being adopted by the ICO. It's an interesting case study of the range of powers available to the ICO:

obtaining a warrant to gain entry

issuing an enforcement notice to effectively cease using the data

the threat of criminal sanctions because they had also failed to register with the ICO.

The impact may well be to close this business down, which is proof that the ICO is far from being a toothless tiger amongst regulators.

Perhaps of greater impact, though, is the involvement of some household names in the case. In a world where the use of vetting seems to be increasing, whether driven by heightened security concerns or otherwise, this provides a cautionary tale.

To some, it will be surprising that some well-known construction businesses have become caught up in this. What isn't known at this stage is how those businesses interacted with the Consulting Association, but it would appear from press reports that they, too, now face investigation by the ICO.

This case highlights a number of key compliance issues in respect of vetting practice, but there are some practical steps that can be taken.

First and foremost, vetting should not be done as a general fishing exercise but only to address specific justifiable risks where the information can't be reasonably obtained elsewhere.

Secondly, if you are going to engage in staff vetting it should be done on an open and consensual basis. You should inform the individual about the nature of the investigation being undertaken and what you will do with the information, and get their consent.

You should select with care who you engage to provide information to you. This is because under the legislation it will be the purchaser of that information, as the data controller, who is responsible for ensuring that the information it processes has been collected and is used in compliance with the legislation.

Due diligence should be exercised: ask questions about how they collect their data. If in doubt, don't use it.

Make sure you have a contract for supply of the data and check that it has provisions in it that give you assurances that the information has been collected in a manner which is compliant with the Data Protection Act (DPA) and that its transfer and use by you will also be compliant (preferably supported by an indemnity).

There should be a feedback loop to the individual so that they are aware of the reason for the decision. It's worth remembering, too, that the individual can raise an access request under the DPA to find out what information you have about them.

Be very careful if you are going to place reliance on the information obtained to make the recruitment decision. Is it reliable enough? Some reports suggest that the nature of the information stored may cause difficulties for an employer who actually took a decision not to recruit on the basis of the information. For example, if a business decided not to recruit the otherwise best candidate on the basis of their union membership, that could give rise to a claim. If proven (which of course can be difficult), compensation could be substantial.

Guidance has been issued by the ICO under the Employment Practices Code in connection with pre-employment vetting. (View ICO guidance)

If there are some lessons to be learnt from this case, perhaps the main one for employers is to stop and think about whether they need to be vetting and then to ensure that any information they do buy in has been lawfully obtained. If not, they can find themselves on the wrong end of an ICO investigation and, as in this case, unwelcome public relations.